Though no comment has been forthcoming from Apple yet, the mainstream press has been awash in reports that dozens of Hollywood celebrities had their iCloud accounts hacked over the Labor Day holiday weekend and, as you might have guessed, explicit images and videos have surfaced on the internet. News of the breach first surfaced on infamous website 4Chan where an unidentified individual offered to share the explicit material in exchange for bitcoin donations. Representatives for some of the celebrities confirmed the legitimacy of the material, and threatened legal action against both the hackers as well as the various websites where the the photos and videos started appearing. As of now, authorities are still trying to identify the party or parties responsible.
What this means for you:
Despite the numerous, very public incidents of famous people taking explicit photos of themselves and reaping the consequences (good or bad), everyone – famous and not – continues to underestimate the weakness of technology security on mobile devices and cloud platforms, as well as the fact that erasing a file on your smartphone does not necessarily equate to destroying it permanently. Both iOS and Android devices are designed to upload any photos or videos you take with your device to their respective cloud storage platforms, ostensibly to back them up in case of device loss, as well as to facilitate the ability to share them via the internet. What most don’t realize is the default for both platforms is to allow this, and you have to pay attention when setting up your device at the very start to disable this functionality. If you quickly punch “OK” through this process, you can easily miss this very important setting.
As always, if you need to store important information must remain confidential, cloud storage (iCloud, Dropbox, OneDrive, Google Drive, etc.) is a very high-risk option that should only be considered with eyes wide-open to the worst-case scenario. The terms of service/use for most of these platforms indemnify them from these types of breaches, so if even if your information was leaked through no personal fault of your own (as might be the above mentioned hack), it’s highly unlikely you will be able to hold anyone accountable aside from yourself.
The New York Times is reporting that the number of Android smartphones infected with a ransomware virus has grown to nearly one million devices in the past 30 days. Though the concept of ransomware is not new to the technology world, only minor outbreaks of this particularly nasty malware have been seen on mobile devices, and have either been quickly defeated or bypassed. Not so with this latest set of extortionware: most prolific is a trojan called ScarePackage, which, as the name suggests, locks your phone with a warning that the device has been used to commit a crime (child porn and media piracy are two of the most common tactics), and can only be unlocked by paying a fine to “law enforcement”.
What this means for you:
Up until now, the most common way Android devices were infected with malware like the above was through “sideloading” apps from questionable sources other than Google’s own “Play” store. Unfortunately, hackers seem to have perfected mobile browser drive-by infections so that they don’t even need to rely on someone bypassing the normal controls all Android phones ship with by default. It’s unclear whether Android antimalware apps (I use WebRoot’s SecureAnywhere) can protect you from drive-by infections reliably, but it does provide a layer of protection when installing apps and it will block suspicious text messages; both are a common source of malware infections. On top of installing malware protection on your mobile device, you should always be very careful surfing unknown or questionable websites, avoid installing brand-new, never-reviewed apps (sometimes trojans slip through Google’s malware screening), and always scrutinize the permissions that installed apps are requesting, especially the ones that ask for full administrative permissions or unfettered access to make mobile calls and send text messages.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Despite industry opposition and a failed first attempt, California’s governor signed into law a bill that requires smartphone manufacturers to install and enable kill switch functionality on all smartphones sold after July 1, 2015. Though California isn’t the first state to enact a killswitch law – Minnesota enacted a similar law back in May – it’s the first to require that the kill switch be enabled by factory default. Opponents of the law were quick to point out that any state’s effort to enforce this capability are redundant, as many smartphones already have this functionality, and it is quickly becoming a standard for all manufacturers. Both Apple and Samsung feature some variation of activation locking that prevents stolen phones from being used, but as the authors of the California bill were quick to point out, having it available and actually enabling it are two different things.
What this means for you:
Even if you aren’t a California or Minnesota resident, it’s possible you already own a phone that has some form of kill switch capability, especially if the device was made in the past two years. Even if you are one of the careful 9 out of 10 people who hasn’t had a smartphone stolen, you should enable any kill switch and anti-theft capabilities your phone has to offer, including putting a passcode of some form on your phone. Misplacing a phone could be just as devestating without it, and even though it wasn’t technically “stolen”, no kill switch means that a less scrupulous individual just got a brand new smartphone for free. You should also enable recovery and theft prevention features on any tablet you own – both iOS and Android offer location and security as standard features of the OS – and keep in mind that California’s law only applies to smartphones, not tablets.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Supermarket chains Supervalu, Albertons and Jewel-Osco have joined the illustrious list of large retailers hacked (presumably) for their vast datastores of shopper identities and credit card information. Investigation is still ongoing in both cases as to whether hackers actually managed to retrieve shopper data during the breaches, and whether the data is being used illegally elsewhere. Though the details of the hacks have not been revealed, security analysts are speculating that the hackers probably compromised point-of-sale machines, similar to the attacks that breached Target in 2013.
What this means for you:
As you can imagine, based upon the difficulties of trying to secure your own personal devices, securing a large network of heavily used and highly exposed computers is tricky business. Even the slightest misstep can lead to cybercriminals pouncing on you like a pack of wild hyenas. Large chains like the ones affected above are continuously under attack from multiple vectors primarily because of the type of data hackers absolutely know they have. The best way to descibe the current war between corporate enterprise and cybercriminals would be that of a siege, with the “good guys” turtling up behind walls that being hammered on relentlessly. And as in any siege, even the smallest breach of that wall can lead to a complete razing of the besieged. Unfortunately, the good guys are struggling to innovate as fast as the bad guys who are heavily invested in winning these types of battles, as the stakes can result in huge payoffs in stolen credentials.
As mentioned, none of the supermarket chains have verified that data has been stolen, but if you happen to shop at any of the listed establishments with your credit card, you may want to consider having your credit card company issue you a new number.
Common sense tells us that a long, complex password is inherently better than short, simple password primarily because it makes it harder for humans to guess what it might be based upon what they know about the user. However, when computers can brute-force a solution to even the most complex passwords within minutes, a lot of people are starting to question why they bother at all. That’s ever more so the case in light of a recent discovery that Russian hackers have amassed nearly 1.2 billion unique compromised credentials in a series of hacks targeting nearly half a million websites. Investigation into some of the hacked sites has revealed that though you may have put some effort into creating a complex password, the website you created it for didn’t invest nearly as much effort in keeping it safe. In some cases, the passwords stolen were originally stored “in the clear”, ie. not encrypted.
What this means for you:
Sadly, the industry as a whole is still scrambling to come up with a solution to the failure of passwords as a security mechanism. So far, the best some sites can offer is 2 or 3-factor authentication, and as can be surmised from the lackluster adoption of this form of protection, most people will opt for the simpler, less secure method when they aren’t required to do otherwise. As for what to do about the above? Go out there and change your passwords on all your important accounts, and enable 2-factor where available, especially on your critical business services like email, banking and file-sharing sites. It’s highly likely one of your passwords is part of this huge hacker database, and it could be used against you very soon.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
When it first occurred, connecting things to the internet seemed more like a gimmick than anything practical. Remember that fridge that was supposed to know when you need to buy more milk and would email you a reminder? Even though that particular concept still hasn’t really caught on (though it should!) plenty of other things in our houses and workplaces are connected to the web, to the point where we don’t even consider it gimmicky anymore. Cars that can be started via an iPhone app? Sure! Security cameras that text you when they detect motion? Why not? How about thermostats and lighting that can be adjusted via wifi? Done! Except for a “little” problem: this growing “internet of things” is just as bad (if not worse) at security as the rest of the internet. A security study by technology giant HP took a look at the 10 most popular internet-enabled devices and discovered each device had at least 25 security vulnerabilities that could lead to terrible things.
What this means for you:
Most of my clients have a healthy respect (if not fear) of the internet and its tireless ability to invade your privacy, and typically make more informed choices than the general public, but as more and more devices come “connected” right out of the box, it’s easy to fall into the convenience trap of plugging the thing in and moving on to the next item on the to-do list. What this will eventually mean is people are surrounding themselves with devices that, taken as a whole, can provide an incredible amount of detail about their supposed “private” life. And those devices are all connected to the internet. Unless manufacturers starting upping their security standards (or the market forces them to), we may all find ourselves living a rather exposed existence. So the next time you are considering a device that is “internet” enabled, consider whether or not you are ready (and willing) to understand exactly how that device secures itself from hacking, and whether its worth the convenience.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
Researchers at Bluebox Security have published an unsettling discovery in the Android operating system that is the digital equivalent of a law enforcement official neglecting to verify if your driver’s license is actually real whenever you submit it as proof of your identity. Oh, and this little bug has been around since version 2.1 of the OS, which was released in January 2010. The real problem with this bug (aside from it being over 4 years old and still unpatched) is that it has the potential to grant malware written to take advantage of this bug an unprecedented level of access to your phone. While Google has acknowledged Bluebox’s finding, there is still no word on when this serious flaw will be fixed.
What this means for you:
Normally, Android apps installed on your phone are “sandboxed” into their own spaces, preventing them from interacting with other apps without permission. However, there are a certain set of apps that are allowed access to other apps, ostensibly to provide services to those apps. A well known example of a “super-privileged” app is Adobe’s Flash Player (before it was removed from the Play Store in Android 4.4) which was granted privileges to other apps primarily to provide rendering and playback services for Flash content. Each app comes with its own security certificate that is supposed to verify the apps identity and authenticity. Except because of the above-mentioned bug, your Android phone doesn’t bother to verify if the certificate itself was issued by a proper authority. Oops.
Until Google fixes this bug, be very careful installing new apps that appear on the Play store, especially if you are directed to one via suspicious email or social media. Even though Google supposedly checks every single app made available on the Play Store, hackers and security researchers have been able to sneak malware into the store for a short period of time. And definitely do not side-load apps. Hopefully I don’t need to explain just how bad having malware on your phone could be, especially one that could interact with things like your contact list, banking apps and social media accounts.
Despite the fact that everyone (including me) has been telling you that encryption makes the data stored on your smartphone safer, it would seem that is not necessarily the case for iOS devices. Renowned iPhone hacker, developer and author Jonathan Zdziarski presented a large body of research and evidence that Apple has built backdoor data access into its devices for some time, and not just the kind required by law enforcement for warranted search or for troubleshooting and debugging. Also damning was the fact that these processes and services aren’t documented at all by Apple, but are apparently well-known by various law enforcement agencies and forensic data specialists. And the cherry on top? The encryption on your iPhone can easily be bypassed by these backdoor tools through USB connections, wifi and possibly even cellular connections.
What this means for you:
According to Mr. Zdziarski’s findings, iPhone encryption is essentially bypassed because iOS maintains a base state of authentication even if your phone is “locked” with a pin or password. The tools and services running quietly in the background of your device have direct access to your data, and not just the “anonymous” or “non-identifying” data that Apple collects for performance and troubleshooting purposes. Apple has yet to comment on Mr. Zdziarski’s findings, but the growing media attention on this issue will likely force a response from the Cupertino company. Unfortunately, there is not much you can do about this, as these backdoors are so deeply embedded in the operating system of iOS that removing or disabling them is impossible. You can, of course, demonstrate your displeasure by contacting your local congress-critter, providing feedback to Apple, as well as restraining yourself from buying Apple products until they address everyone’s privacy concerns. Given Apple’s strangle-hold on the smartphone market, they have very little incentive to change anything unless consumer sentiment starts to sway against them on this issue.
A new battle front just opened up in the corporate espionage cyberwar. Security firm TrapX has released information on a new attack that appears to be focused on shipping and logistics firms, and is being delivered via hand-held inventory scanners made by a specific manufacturer in China. The wireless devices appear to contain malware that once connected to a company’s corporate network targets enterprise resource planning (ERP) servers and attempts to compromise them through a variety of known weaknesses. If successful it then facilitates the installation of command-and-control malware that provides a backdoor on the compromised server to an unidentified location in China. The manufacturer of the scanners has denied the devices were intentionally shipped with the malware, but their close proximity to the Lanxiang Vocational School (allegedly tied to other infamous hacking incidents) has raised security eyebrows everywhere.
What this means for you:
It’s a safe bet that you probably won’t be directly affected by this particular hacking vector unless you are one of the handful of firms who bought and used the devices before the manufacturer rectified the issue. However, this is just another crack in the dangerously swollen dike that is technology security, and the white hats are rapidly running out of fingers and toes with which to plug the holes. The fact that the Chinese have targeted supply chain technologies means they are fishing for big data to steal, and the amount of money (and power) at stake is enough for the bad guys to continually search out new ways to compromise and breach businesses. They know they have the good guys over a barrel, as we have to continually try to guess where the next mole will pop up in a playing grid with an infinite number of holes. Will we get to a point that we have to run a malware scan on anything with electronics and a means to transmit data? It’s starting to look that way.
Ahead of a court order that is still pending, Google has blocked delivery of a single email mistakenly sent to a wrong address at the request of the sender’s employer. As most of you can attest, doing something like this, while technically possible within certain parameters, is usually not done for a variety of reasons, not the least of which is opening the Pandora’s box of requests for Google to do the same thing for every email sent to the wrong address or for the wrong reasons. In this particular instance, the sender was a contractor for Goldman Sachs, and the email in question contained significant sensitive customer data sent to the wrong address. Rather than risking a signficant exposure for the customers whose data was contained in the email, on top of saving Goldman Sachs from considerable liability, Google acquiesced to the request, which normally requires a court order.
What this means for you:
The only reason this was even possible in the first place was because the unintended recipient hadn’t actually accessed the account since the email was sent, and therefore Google knew for certain that the email wouldn’t have been read, and there could be “un-sent.” You may have experienced both the relief and disappointment of attempting to “unsend” emails via your own company’s Exchange server, which can call back unread emails, but once the email has been opened by the recipient, intended or not, there’s no way to unsend it. What you should really be taking away from this was why someone was using email to send a report with such sensitive information in the first place. In this case, convenience and ease of use led to a near-catastrophic breach. Do you use email to exchange confidential information with other parties? If you do, you should carefully consider the consequences of a mis-delivered email, and what it might cost your organization.











